@H_502_2@
1 概述@H_502_2@
ELK套件(ELK stack)是指ElasticSearch、Logstash和Kibana三件套。这三个软件可以组成一套日志分析和监控工具。@H_502_2@
由于三个软件各自的版本号太多,建议采用ElasticSearch官网推荐的搭配组合:@H_502_2@http://www.elasticsearch.org/overview/elkdownloads/
2 环境准备@H_502_2@
具体的版本要求如下:@H_502_2@
操作系统版本:CentOS 6.4;@H_502_2@
JDK版本:1.7.0;@H_502_2@
Logstash版本:1.4.2;@H_502_2@
ElasticSearch版本:1.4.2;@H_502_2@
Kibana版本:3.1.2;@H_502_2@
2.2 防火墙配置@H_502_2@
为了正常使用HTTP服务等,需要关闭防火墙:@H_502_2@
[plain]@H_502_2@view plain@H_502_2@copy@H_502_2@
#serviceiptablesstop@H_502_2@
或者可以不关闭防火墙,但是要在iptables中打开相关的端口:@H_502_2@
#vim/etc/sysconfig/iptables@H_502_2@
-AINPUT-mstate--stateNEW-mtcp-ptcp--dport80-jACCEPT@H_502_2@
-AINPUT-mstate--stateNEW-mtcp-ptcp--dport9200-jACCEPT@H_502_2@
-AINPUT-mstate--stateNEW-mtcp-ptcp--dport9292-jACCEPT@H_502_2@
#serviceiptablesrestart@H_502_2@
3 安装JDK@H_502_2@
ElasticSearch和Logstash依赖于JDK,所以需要安装JDK:@H_502_2@
#yum-yinstalljava-1.7.0-openjdk*@H_502_2@
#java-version@H_502_2@
4 安装ElasticSearch@H_502_2@
ElasticSearch默认的对外服务的HTTP端口是9200,节点间交互的TCP端口是9300。@H_502_2@
下载ElasticSearch:@H_502_2@
copy@H_502_2@
- #mkdir-p/opt/software&&cd/opt/software@H_502_2@
#sudowgethttps://download.elasticsearch.org/elasticsearch/elasticsearch/elasticsearch-1.4.2.tar.gz@H_502_2@
#sudotar-zxvfelasticsearch-1.4.2.tar.gz-C/usr/local/@H_502_2@
#ln-s/usr/local/elasticsearch-1.4.2/usr/local/elasticsearch@H_502_2@
安装elasticsearch-servicewrapper,并启动ElasticSearch服务:
@H_502_2@
#sudowgethttps://github.com/elasticsearch/elasticsearch-servicewrapper/archive/master.tar.gz@H_502_2@
#sudotar-zxvfmaster@H_502_2@
#mv/opt/software/elasticsearch-servicewrapper-master/service/usr/local/elasticsearch/bin/@H_502_2@
#/usr/local/elasticsearch/bin/service/elasticsearchstart@H_502_2@
测试ElasticSearch服务是否正常,预期返回200的状态码:
#curl-XGEThttp://localhost:9200@H_502_2@
5 安装Logstash@H_502_2@
Logstash默认的对外服务的端口是9292。@H_502_2@
下载Logstash:@H_502_2@
#sudowgethttps://download.elasticsearch.org/logstash/logstash/logstash-1.4.2.tar.gz@H_502_2@
#sudotar-zxvflogstash-1.4.2.tar.gz-C/usr/local/@H_502_2@
#ln-s/usr/local/logstash-1.4.2/usr/local/logstash@H_502_2@
简单测试Logstash服务是否正常,预期可以将输入内容以简单的日志形式打印在界面上:
#/usr/local/logstash/bin/logstash-e'input{stdin{}}output{stdout{}}'@H_502_2@
创建Logstash配置文件,并再次测试Logstash服务是否正常,预期可以将输入内容以结构化的日志形式打印在界面上:
#mkdir-p/usr/local/logstash/etc@H_502_2@
#vim/usr/local/logstash/etc/hello_search.conf@H_502_2@
input{@H_502_2@
stdin{@H_502_2@
type=>"human"@H_502_2@
}@H_502_2@
@H_502_2@
output{@H_502_2@
stdout{@H_502_2@
codec=>rubydebug@H_502_2@
elasticsearch{@H_502_2@
host=>"10.111.121.22"@H_502_2@
port=>9300@H_502_2@
#/usr/local/logstash/bin/logstash-f/usr/local/logstash/etc/hello_search.conf@H_502_2@
6 安装Kibana@H_502_2@
CentOS默认预装了Apache,所以将Kibana的代码直接拷贝到Apache可以访问的目录下即可。
#sudowgethttps://download.elasticsearch.org/kibana/kibana/kibana-3.1.2.tar.gz@H_502_2@
#sudotar-zxvfkibana-3.1.2.tar.gz@H_502_2@
#mvkibana-3.1.2/var/www/html/kibana@H_502_2@
修改Kibana的配置文件,把elasticsearch所在行的内容替换成如下:
#vim/var/www/html/kibana/config.js@H_502_2@
elasticsearch:"http://10.111.121.22:9200",@H_502_2@
启动一下HTTP服务:
#servicehttpdstart@H_502_2@
修改ElasticSearch的配置文件,追加一行内容,并重启ElasticSearch服务:
#vim/usr/local/elasticsearch/config/elasticsearch.yml@H_502_2@
http.cors.enabled:true@H_502_2@
#/usr/local/elasticsearch/bin/service/elasticsearchrestart@H_502_2@
然后就可以通过浏览器访问Kibana了:
http://10.111.121.22/kibana@H_502_2@
现在,在之前的Logstash会话中输入任意字符,就可以在Kibana中查看到日志情况。@H_502_2@
7 配置Logstash@H_502_2@
再次创建Logstash配置文件,这里将HTTP日志和文件系统日志作为输入,输出直接传给ElasticSearch,不再打印在界面上:
#vim/usr/local/logstash/etc/logstash_agent.conf@H_502_2@
input {@H_502_2@
file {@H_502_2@
type => "http.access"@H_502_2@
path => ["/var/log/httpd/access_log"]@H_502_2@
}@H_502_2@
@H_502_2@
type => "http.error"@H_502_2@
path => ["/var/log/httpd/error_log"]@H_502_2@
type => "messages"@H_502_2@
path => ["/var/log/messages"]@H_502_2@
}@H_502_2@
}@H_502_2@
output {@H_502_2@
elasticsearch {@H_502_2@
host => "123.206.211.52"@H_502_2@
port => 9300@H_502_2@
#/usr/local/logstash/bin/logstash-f/usr/local/logstash/etc/logstash_agent.conf&@H_502_2@
现在,一个简单的日志分析和监控平台就搭建好了,可以使用Kibana进行查看。@H_502_2@
